OpenLDAP: using FreeBSD's /etc/login.conf attributes with external LDAP users?

Matthew Seaman matthew at freebsd.org
Wed Jan 20 10:20:31 UTC 2016


On 01/20/16 09:56, O. Hartmann wrote:
> Using latest net/openldap24-server with FreeBSD as server and login target for
> several users results in a problem.

Use nss-pam-ldapd -- it's way better than pam-ldap.

> Via attribute :requirehome: in /etc/login.conf (i.e. added to class "standard")
> one can prevent users from login without a valid home directory. Otherwise a
> user with a valid LDAP entry will end up in "/". I'd like to add a standard
> class for any user logging in (via ssh) on that specific server (only administrative
> staff has local logins in /etc/passwd, all users are located in LDAP DIT).
> 
> I searched the net for solutions and found one suggesting reverting the
> "default" behaviour to have :requirehome: and use another class for all users
> local in /etc/master.passwd (i.e. "privileged") - but this seems somehow odd
> and in a hurry, updating software or similar, new facility users, like the
> recently added user "_ypldap" will end up in the default class with
> prerequisites a daemon will fail with. I think this could be too much of a
> trap/pitfall.
> 
> So, the question is whether there is a more elegant/semantic way to do so.
> 
> 
> Please CC me, I do not subscribe to this list,
> 
> thanks in advance and kind regards,


One way round this problem is to use pam_mkhomedir -- that way you can
ensure that anyone that can log in has a home directory (automatically
created for them if necessary.)

Of course this means that users' SSH authorized_keys will not be
available automatically in their home dir -- you can handle that in
several different ways: use Kerberos / GSSAPI for authentication, or use
LDAP to serve the public keys (you'll need to write a script that looks
up the users' keys in LDAP and returns them, which you add as
AuthorizedKeysCommand in /etc/ssh/sshd_config).

If you need to restrict which machines various people in your LDAP
directory can log into, it would be better to have an explicit mechanism
within LDAP rather than relying on an implicit property of the account,
like existence of the home directory or not.

	Cheers,

	Matthew
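The AuthorizedKeysCommand helper Matthew describes, written out as an added example; it is not code from the original mail, from OpenLDAP or from FreeBSD. The attribute name sshPublicKey, the server URI ldap://ldap.example.org and the base DN ou=people,dc=example,dc=org are assumptions, as is the script path in the sshd_config comment. The script checks the user name before it is interpolated into the LDAP filter, re-joins values that ldapsearch has folded across lines, and carries a constructed LDIF sample so the parser can be exercised without a directory server.

```shell
#!/bin/sh
# Added example: AuthorizedKeysCommand helper that returns a user's SSH public
# keys from LDAP. Not part of the original mail, OpenLDAP or FreeBSD; the
# attribute name, server URI, base DN and install path below are assumptions.
#
# Matching sshd_config lines (sshd requires the script to be owned by root and
# not group/world-writable, and refuses to run it otherwise):
#   AuthorizedKeysCommand /usr/local/libexec/ldap-authorized-keys %u
#   AuthorizedKeysCommandUser nobody

LDAP_URI="${LDAP_URI:-ldap://ldap.example.org}"      # assumed server
BASE_DN="${BASE_DN:-ou=people,dc=example,dc=org}"    # assumed search base
KEY_ATTR="sshPublicKey"                              # assumed attribute (openssh-lpk style schema)

# Accept only plain POSIX user names, so nothing that could change the meaning
# of the LDAP filter (parentheses, '*', '\', spaces) is ever interpolated.
valid_user() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Read LDIF on stdin and print one key per line. ldapsearch folds long values
# at 76 columns; a continuation line starts with a single space and is re-joined.
keys_from_ldif() {
    awk -v attr="$KEY_ATTR" '
        BEGIN { prefix = attr ": "; plen = length(prefix) }
        /^ /  { if (inkey) val = val substr($0, 2); next }   # folded continuation
              { if (inkey) { print val; inkey = 0 } }         # flush a finished value
        substr($0, 1, plen) == prefix { val = substr($0, plen + 1); inkey = 1 }
        END   { if (inkey) print val }
    '
}

# Look up one posixAccount by uid and emit its keys for sshd.
fetch_keys() {
    valid_user "$1" || return 1
    ldapsearch -x -LLL -H "$LDAP_URI" -b "$BASE_DN" \
        "(&(objectClass=posixAccount)(uid=$1))" "$KEY_ATTR" | keys_from_ldif
}

# Constructed sample LDIF (not real directory data), including one folded
# value, so the parser can be run without a server.
SAMPLE_LDIF='dn: uid=alice,ou=people,dc=example,dc=org
sshPublicKey: ssh-ed25519 AAAAC3Nz
 aC1lZDI1NTE5AAAAIExample alice@host
sshPublicKey: ssh-rsa AAAAB3Example alice@laptop
'
demo_keys() { printf '%s\n' "$SAMPLE_LDIF" | keys_from_ldif; }

# sshd invokes this as "<script> %u"; with no argument, run the offline demo.
if [ "$#" -eq 1 ]; then
    fetch_keys "$1"
else
    demo_keys
fi
```

Run as root with a user name to see the live lookup, or with no argument to parse the embedded sample. The user-name check is deliberately stricter than what sshd already guarantees, since a helper that builds a filter from its argument should not rely on its caller for that. If the ldapsearch in use supports `-o ldif-wrap=no` (recent OpenLDAP 2.4 releases do), adding it removes the folding, but the parser copes either way.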



